EAP-TLS and IOS 13

Gregory Sloop gregs at sloop.net
Mon Nov 4 22:33:33 CET 2019

[Replying direct, so as not to clutter the list/thread.]

Ted - I'm probably hours to a day or two from trying to setup the same on a fleet of iPads.

Given the back-and-forth, I'm not at all clear what the "solution" is.
I'd be eternally grateful if you'd post a summary of the issues, especially once you fix them, to the list. :)

It doesn't sound like we really understand all the issues with certs 
[2 years lifetime limit, really? - My certs generally have 10y lifetimes! I don't want to push new certs to all the ipads in two years!] - but again, as it becomes clear, it would be a super big help to me. [I'm certainly fluent on istuff - but it's often weird and hard to figure out how to make it work on both Windows and iOS/MacOS - at least without generating certs/keys in formats specially for Apple stuff. [p12's for example]

[I use GNUTLS for CA/cert/key generation - so I'll have to find a way to do it there, or use openssl - we'll see.]

Anyway - Thanks in advance!


THR> I love *pple. And by love I mean exactly the opposite.....Regardless, my
THR> many thanks to all that assisted with my tribulations and blatherings 
THR> regarding getting ipads and Win10 machines working with an EAP-TLS 
THR> environment. As of this morning I had everything migrated, wiped, 
THR> re-tested, full bare-metal automation tested and ready to deploy to the
THR> minions. I had a very happy moment.

THR> Until someone walked in with an ipad that they just upgraded to IOS 13.

THR> tl/dr: IOS13 introduces more stringent compliance for certificates 
THR> (https://support.apple.com/en-us/HT210176) and that means certificates
THR> that used to work for EAP, now do not install - well that's not true. 
THR> They install, they say they're verified, but the ipad does not recognize
THR> them as useful, and ONLY presents a TTLS-like connection interface 
THR> (username and password, instead of certificate and identity). They 
THR> simply sit there all happy and useless. (BTW, manual cert install is now
THR> an 8 page document in my library, including download, allow,accept, 
THR> enable Cert Trust Settings, install, validate and....then watch do 
THR> nothing.) Since the ipad does not present a tls transaction, FR3 doesn't
THR> participate. I am not using EAP-TTLS, so that module does exactly what
THR> is it supposed to do - find no verified username and reject.

THR> I've used my google-fu to get the basic idea of modifying the openssl 
THR> commands to include the EKU, and sha2, but some of the other 
THR> requirements I'm not sure about implementing. The "no longer than 2 
THR> years" is also a PITA. Either way, has anyone worked out a magic bullet
THR> for this yet? Amazingly, M$ is no longer on my hated list - the Win10 
THR> machines are now in the "it simply works" category! Longing to learn 
THR> from the masters, yet again!

THR> Thanks,

THR> Ted.

More information about the Freeradius-Users mailing list